From 870ac30d60f7d6ab6b68d720255a960fd9772066 Mon Sep 17 00:00:00 2001
From: Tony Mountifield
Date: Wed, 30 Mar 2022 17:54:16 +0100
Subject: [PATCH 01/12] Test for codeql and signing conditions

---
 .github/workflows/autobuild.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml
index 21a5bcba2d..23208378dc 100644
--- a/.github/workflows/autobuild.yml
+++ b/.github/workflows/autobuild.yml
@@ -216,6 +216,14 @@ jobs:
 env:
 JAMULUS_BUILD_VERSION: ${{ needs.create_release.outputs.build_version }}
 
+ - name: Run if CodeQL true and steps.build.outputs.macos_signed is true
+ if: matrix.config.run_codeql && steps.build.outputs.macos_signed == 'true'
+ run: echo xxx${{ steps.build.outputs.macos_signed }}yyy
+
+ - name: Run if CodeQL true and steps.build.outputs.macos_signed is not true
+ if: matrix.config.run_codeql && steps.build.outputs.macos_signed != 'true'
+ run: echo xxx${{ steps.build.outputs.macos_signed }}yyy
+
 - name: Initialize CodeQL
 if: matrix.config.run_codeql
 uses: github/codeql-action/init@v1

From 67e8a40cff96df27eee8477ae7b812e92a433b93 Mon Sep 17 00:00:00 2001
From: Tony Mountifield
Date: Wed, 30 Mar 2022 18:01:20 +0100
Subject: [PATCH 02/12] Next test

---
 .github/workflows/autobuild.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml
index 23208378dc..dec1d28504 100644
--- a/.github/workflows/autobuild.yml
+++ b/.github/workflows/autobuild.yml
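Review bot: Both added debug steps splice `${{ steps.build.outputs.macos_signed }}` directly into the `run:` shell line; the standard hardening for expressions in `run:` is to pass them through `env:` and expand the variable in the shell, e.g. `env: MACOS_SIGNED: ${{ steps.build.outputs.macos_signed }}` with `run: echo "xxx${MACOS_SIGNED}yyy"`, so a value containing shell metacharacters cannot alter the command. The value here comes from the project's own build script, so the exposure is low, but the pattern is worth keeping out of a workflow that also handles signing secrets. The steps are also placed before the build step they read from, if `build` is the later step that runs `base_command build` (not visible in this hunk); an output read before its step has run is an empty string, so both conditions would behave as "not true".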
@@ -122,22 +122,22 @@ jobs:
 base_command: TARGET_ARCH=armhf ./.github/autobuild/linux_deb.sh
 run_codeql: false
 
- - config_name: MacOS (artifacts)
+ - config_name: MacOS (artifacts+CodeQL)
 target_os: macos
 # Stay on 10.15 as long as we use dmgbuild which does not work with 11's hdiutil (?):
 building_on_os: macos-10.15
 base_command: QT_VERSION=5.15.2 SIGN_IF_POSSIBLE=1 ./.github/autobuild/mac.sh
 # Disable CodeQL on mac as it interferes with signing the binaries (signing hangs, see #2563 and #2564)
- run_codeql: false
+ run_codeql: true
 xcode_version: 12.1.1
 # Reminder: If Legacy is removed, be sure to add a dedicated job for CodeQL again.
- - config_name: MacOS Legacy (artifacts+CodeQL)
+ - config_name: MacOS Legacy (artifacts)
 target_os: macos
 building_on_os: macos-10.15
 base_command: QT_VERSION=5.9.9 SIGN_IF_POSSIBLE=0 ARTIFACT_SUFFIX=_legacy ./.github/autobuild/mac.sh
 # Enable CodeQL on mac legacy as this version does not get signed
- run_codeql: true
+ run_codeql: false
 # For Qt5 on Mac, we need to ensure SDK 10.15 is used, and not SDK 11.x.
 # Xcode 12.1 is the most-recent release which still ships SDK 10.15:
 # https://developer.apple.com/support/xcode/
 
@@ -225,7 +225,7 @@ jobs:
 run: echo xxx${{ steps.build.outputs.macos_signed }}yyy
 
 - name: Initialize CodeQL
- if: matrix.config.run_codeql
+ if: false && matrix.config.run_codeql
 uses: github/codeql-action/init@v1
 with:
 languages: 'cpp'
@@ -316,5 +316,5 @@ jobs:
 asset_content_type: application/octet-stream
 
 - name: Perform CodeQL Analysis
- if: matrix.config.run_codeql
+ if: false && matrix.config.run_codeql
 uses: github/codeql-action/analyze@v1

From fd0486746099e6560fb3a9ebcf0ac0d67f137e06 Mon Sep 17 00:00:00 2001
From: Tony Mountifield
Date: Wed, 30 Mar 2022 23:05:28 +0100
Subject: [PATCH 03/12] Output macos_signed from setup

---
 .github/autobuild/mac.sh | 1 +
 .github/workflows/autobuild.yml | 5 +++++
 2 files changed, 6 insertions(+)
diff --git a/.github/autobuild/mac.sh b/.github/autobuild/mac.sh
index a38cc393e7..a8b541b50c 100755
--- a/.github/autobuild/mac.sh
+++ b/.github/autobuild/mac.sh
@@ -73,6 +73,7 @@ pass_artifact_to_job() {
 case "${1:-}" in
 setup)
 setup
+ prepare_signing
 ;;
 build)
 build_app_as_dmg_installer
diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml
index dec1d28504..fc3dd5cd64 100644
--- a/.github/workflows/autobuild.yml
+++ b/.github/workflows/autobuild.yml
@@ -215,6 +215,11 @@ jobs:
 run: ${{ matrix.config.base_command }} setup
 env:
 JAMULUS_BUILD_VERSION: ${{ needs.create_release.outputs.build_version }}
+ MACOS_CERTIFICATE: ${{ secrets.MACOS_CERT}}
+ MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERT_PWD }}
+ MACOS_CERTIFICATE_ID: ${{ secrets.MACOS_CERT_ID }}
+ NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
+ KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
 
 - name: Run if CodeQL true and steps.build.outputs.macos_signed is true
 if: matrix.config.run_codeql && steps.build.outputs.macos_signed == 'true'

From 24cf550086d5ab91cfbfc53ffd7e659adc4c1651 Mon Sep 17 00:00:00 2001
From: Tony Mountifield
Date: Wed, 30 Mar 2022 23:10:15 +0100
Subject: [PATCH 04/12] Give id to setup step and test its output

---
 .github/workflows/autobuild.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml
index fc3dd5cd64..90511abe25 100644
--- a/.github/workflows/autobuild.yml
+++ b/.github/workflows/autobuild.yml
@@ -212,6 +212,7 @@ jobs:
 key: ${{ matrix.config.target_os }}-${{ hashFiles('.github/workflows/autobuild.yml', '.github/autobuild/android.sh') }}-${{ matrix.config.base_command }}
 
 - name: Set up build dependencies for ${{ matrix.config.config_name }}
+ id: setup
 run: ${{ matrix.config.base_command }} setup
 env:
 JAMULUS_BUILD_VERSION: ${{ needs.create_release.outputs.build_version }}
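Review bot: The five signing secrets are now handed to the setup step of every matrix configuration, although only the macOS legs, through `./.github/autobuild/mac.sh`, have any use for them; every other build script's setup phase receives the certificate and its passwords in its environment for nothing. This mirrors the build step's existing `env:` block (visible in the later @@ -232 hunk of patch 09), so it is at least consistent, but it doubles the number of steps in which a compromised dependency or a stray environment dump on a Linux or Windows runner can read them. Since an `env:` entry cannot be made conditional per key, the least-privilege shape is a macOS-only setup step guarded by `if: matrix.config.target_os == 'macos'` that carries the secrets, with the generic setup step keeping only `JAMULUS_BUILD_VERSION`. A short comment on the block naming which script consumes these variables would also make the scoping reviewable later.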
@@ -222,11 +223,11 @@ jobs:
 KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
 
 - name: Run if CodeQL true and steps.build.outputs.macos_signed is true
- if: matrix.config.run_codeql && steps.build.outputs.macos_signed == 'true'
+ if: matrix.config.run_codeql && steps.setup.outputs.macos_signed == 'true'
 run: echo xxx${{ steps.build.outputs.macos_signed }}yyy
 
 - name: Run if CodeQL true and steps.build.outputs.macos_signed is not true
- if: matrix.config.run_codeql && steps.build.outputs.macos_signed != 'true'
+ if: matrix.config.run_codeql && steps.setup.outputs.macos_signed != 'true'
 run: echo xxx${{ steps.build.outputs.macos_signed }}yyy
 
 - name: Initialize CodeQL

From fde5a10b8cd52126f4f3d177cce24186750a02a7 Mon Sep 17 00:00:00 2001
From: Tony Mountifield
Date: Wed, 30 Mar 2022 23:13:41 +0100
Subject: [PATCH 05/12] More corrections

---
 .github/workflows/autobuild.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml
index 90511abe25..da8c746ca7 100644
--- a/.github/workflows/autobuild.yml
+++ b/.github/workflows/autobuild.yml
@@ -222,13 +222,13 @@ jobs:
 NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
 KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
 
- - name: Run if CodeQL true and steps.build.outputs.macos_signed is true
+ - name: Run if CodeQL true and steps.setup.outputs.macos_signed is true
 if: matrix.config.run_codeql && steps.setup.outputs.macos_signed == 'true'
- run: echo xxx${{ steps.build.outputs.macos_signed }}yyy
+ run: echo xxx${{ steps.setup.outputs.macos_signed }}yyy
 
- - name: Run if CodeQL true and steps.build.outputs.macos_signed is not true
+ - name: Run if CodeQL true and steps.setup.outputs.macos_signed is not true
 if: matrix.config.run_codeql && steps.setup.outputs.macos_signed != 'true'
- run: echo xxx${{ steps.build.outputs.macos_signed }}yyy
+ run: echo xxx${{ steps.setup.outputs.macos_signed }}yyy
 
 - name: Initialize CodeQL
 if: false && matrix.config.run_codeql

From 3b42770ff8bb6e61f461d6fb9f4b6490de4aff68 Mon Sep 17 00:00:00 2001
From: Tony Mountifield
Date: Wed, 30 Mar 2022 23:21:36 +0100
Subject: [PATCH 06/12] Only run CodeQL for Mac when not signing build

---
 .github/workflows/autobuild.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml
index da8c746ca7..b1e24e25c8 100644
--- a/.github/workflows/autobuild.yml
+++ b/.github/workflows/autobuild.yml
@@ -222,6 +222,7 @@ jobs:
 NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
 KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
 
+ # This step and the next can be removed after completion of debugging
 - name: Run if CodeQL true and steps.setup.outputs.macos_signed is true
 if: matrix.config.run_codeql && steps.setup.outputs.macos_signed == 'true'
 run: echo xxx${{ steps.setup.outputs.macos_signed }}yyy
@@ -229,9 +230,10 @@ jobs:
 - name: Run if CodeQL true and steps.setup.outputs.macos_signed is not true
 if: matrix.config.run_codeql && steps.setup.outputs.macos_signed != 'true'
 run: echo xxx${{ steps.setup.outputs.macos_signed }}yyy
+ # end of steps to be removed
 
 - name: Initialize CodeQL
- if: false && matrix.config.run_codeql
+ if: matrix.config.run_codeql && steps.setup.outputs.macos_signed != 'true'
 uses: github/codeql-action/init@v1
 with:
 languages: 'cpp'
@@ -322,5 +324,5 @@ jobs:
 asset_content_type: application/octet-stream
 
 - name: Perform CodeQL Analysis
- if: false && matrix.config.run_codeql
+ if: matrix.config.run_codeql && steps.setup.outputs.macos_signed != 'true'
 uses: github/codeql-action/analyze@v1

From 5f3bd07a08001cc5ffa9318f798eea396606bde9 Mon Sep 17 00:00:00 2001
From: Tony Mountifield
Date: Wed, 30 Mar 2022 23:28:03 +0100
Subject: [PATCH 07/12] Ignore return from prepare_signing during setup

---
 .github/autobuild/mac.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/autobuild/mac.sh b/.github/autobuild/mac.sh
index a8b541b50c..615c9a7250 100755
--- a/.github/autobuild/mac.sh
+++ b/.github/autobuild/mac.sh
@@ -73,7 +73,7 @@ pass_artifact_to_job() {
 case "${1:-}" in
 setup)
 setup
- prepare_signing
+ prepare_signing || true
 ;;
 build)
 build_app_as_dmg_installer

From 3ac2f7392935556662024a820f566f516a439e0e Mon Sep 17 00:00:00 2001
From: Tony Mountifield
Date: Thu, 31 Mar 2022 11:29:41 +0100
Subject: [PATCH 08/12] Adjust comments and remove test steps

---
 .github/autobuild/mac.sh | 2 ++
 .github/workflows/autobuild.yml | 15 ++-------------
 2 files changed, 4 insertions(+), 13 deletions(-)

diff --git a/.github/autobuild/mac.sh b/.github/autobuild/mac.sh
index 615c9a7250..a656183223 100755
--- a/.github/autobuild/mac.sh
+++ b/.github/autobuild/mac.sh
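Review bot: The gate `if: matrix.config.run_codeql && steps.setup.outputs.macos_signed != 'true'` on Initialize CodeQL, repeated on Perform CodeQL Analysis in the next hunk, means a macOS leg that signs is never scanned, and since the Legacy config now carries `run_codeql: false` (patch 02, hunk @@ -122), no macOS leg is guaranteed a CodeQL run any more. If signing succeeds whenever the secrets are present, which I would expect on pushes within the main repository but not on fork pull requests, the outcome is CodeQL on the untrusted PR builds and none on the builds that ship; the "Reminder" comment removed later in this series (patch 08, hunk @@ -127) was exactly about keeping one dedicated macOS CodeQL path. Worth stating the trade-off at the gate, e.g. `# CodeQL is skipped on signed macOS builds because it makes signing hang (#2563, #2564); macOS CodeQL coverage then comes only from unsigned runs.`, and worth considering an unsigned macOS leg that keeps CodeQL on. Note also that the gate depends on a step output the setup script emits on stdout, so the scan's presence is only as reliable as that script's output handling.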
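Review bot: `prepare_signing || true` suppresses every non-zero exit from prepare_signing, not only the deliberate `return 1` for "signing not requested or prerequisites missing"; if the function then decodes the certificate and imports it into a keychain (its body lies outside this hunk), a failure in that part during setup is now swallowed and surfaces, if at all, only in the build step. The safer shape is to call just the prerequisite check from `setup)` and keep the side-effecting part fail-loud, or to distinguish the two cases explicitly: `rc=0; prepare_signing || rc=$?; [[ $rc -le 1 ]] || exit "$rc"`. A one-line comment above the call saying which return value is being ignored and why would help the next reader either way.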
@@ -73,6 +73,8 @@ pass_artifact_to_job() {
 case "${1:-}" in
 setup)
 setup
+ # set up the macos_signed output if needed, but prevent
+ # a return status of 1 from propagating to the script exit status.
 prepare_signing || true
 ;;
 build)
diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml
index b1e24e25c8..0b56452069 100644
--- a/.github/workflows/autobuild.yml
+++ b/.github/workflows/autobuild.yml
@@ -127,16 +127,15 @@ jobs:
 # Stay on 10.15 as long as we use dmgbuild which does not work with 11's hdiutil (?):
 building_on_os: macos-10.15
 base_command: QT_VERSION=5.15.2 SIGN_IF_POSSIBLE=1 ./.github/autobuild/mac.sh
- # Disable CodeQL on mac as it interferes with signing the binaries (signing hangs, see #2563 and #2564)
+ # run_codeql will be ignored in the steps below if building a signed image
+ # for Mac, as it causes the signing process to hang. See #2563 and #2564.
 run_codeql: true
 xcode_version: 12.1.1
- # Reminder: If Legacy is removed, be sure to add a dedicated job for CodeQL again.
 - config_name: MacOS Legacy (artifacts)
 target_os: macos
 building_on_os: macos-10.15
 base_command: QT_VERSION=5.9.9 SIGN_IF_POSSIBLE=0 ARTIFACT_SUFFIX=_legacy ./.github/autobuild/mac.sh
- # Enable CodeQL on mac legacy as this version does not get signed
 run_codeql: false
 # For Qt5 on Mac, we need to ensure SDK 10.15 is used, and not SDK 11.x.
 # Xcode 12.1 is the most-recent release which still ships SDK 10.15:
 # https://developer.apple.com/support/xcode/
@@ -222,16 +221,6 @@ jobs:
 NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
 KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
 
- # This step and the next can be removed after completion of debugging
- - name: Run if CodeQL true and steps.setup.outputs.macos_signed is true
- if: matrix.config.run_codeql && steps.setup.outputs.macos_signed == 'true'
- run: echo xxx${{ steps.setup.outputs.macos_signed }}yyy
-
- - name: Run if CodeQL true and steps.setup.outputs.macos_signed is not true
- if: matrix.config.run_codeql && steps.setup.outputs.macos_signed != 'true'
- run: echo xxx${{ steps.setup.outputs.macos_signed }}yyy
- # end of steps to be removed
-
 - name: Initialize CodeQL
 if: matrix.config.run_codeql && steps.setup.outputs.macos_signed != 'true'
 uses: github/codeql-action/init@v1

From 42bf935d115a56c4457b32ef3560da8052f5db36 Mon Sep 17 00:00:00 2001
From: Tony Mountifield
Date: Mon, 4 Apr 2022 23:02:22 +0100
Subject: [PATCH 09/12] Add some missing spaces

---
 .github/workflows/autobuild.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml
index 0b56452069..1baacb2b3b 100644
--- a/.github/workflows/autobuild.yml
+++ b/.github/workflows/autobuild.yml
@@ -69,7 +69,7 @@ jobs:
 run: python3 ${{ github.workspace }}/.github/actions_scripts/analyse_git_reference.py
 id: get-build-vars
 
- - name: Remove release ${{steps.get-build-vars.outputs.RELEASE_TAG}}, if existing
+ - name: Remove release ${{ steps.get-build-vars.outputs.RELEASE_TAG }}, if existing
 if: steps.get-build-vars.outputs.PUBLISH_TO_RELEASE == 'true'
 continue-on-error: true
 uses: dev-drprasad/delete-tag-and-release@v0.1.2
@@ -79,7 +79,7 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
- - name: Create Release ${{steps.get-build-vars.outputs.RELEASE_TAG}} ${{steps.get-build-vars.outputs.RELEASE_TITLE}}
+ - name: Create Release ${{ steps.get-build-vars.outputs.RELEASE_TAG }} ${{ steps.get-build-vars.outputs.RELEASE_TITLE }}
 if: steps.get-build-vars.outputs.PUBLISH_TO_RELEASE == 'true'
 id: create-release
 uses: actions/create-release@v1
@@ -215,7 +215,7 @@ jobs:
 run: ${{ matrix.config.base_command }} setup
 env:
 JAMULUS_BUILD_VERSION: ${{ needs.create_release.outputs.build_version }}
- MACOS_CERTIFICATE: ${{ secrets.MACOS_CERT}}
+ MACOS_CERTIFICATE: ${{ secrets.MACOS_CERT }}
 MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERT_PWD }}
 MACOS_CERTIFICATE_ID: ${{ secrets.MACOS_CERT_ID }}
 NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
@@ -232,7 +232,7 @@ jobs:
 run: ${{ matrix.config.base_command }} build
 env:
 JAMULUS_BUILD_VERSION: ${{ needs.create_release.outputs.build_version }}
- MACOS_CERTIFICATE: ${{ secrets.MACOS_CERT}}
+ MACOS_CERTIFICATE: ${{ secrets.MACOS_CERT }}
 MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERT_PWD }}
 MACOS_CERTIFICATE_ID: ${{ secrets.MACOS_CERT_ID }}
 NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}

From c2c951a8c113d295b6c653b78731846366125d48 Mon Sep 17 00:00:00 2001
From: Tony Mountifield
Date: Thu, 7 Apr 2022 15:50:44 +0100
Subject: [PATCH 10/12] Refactor the signing checks for Mac

Also rename the output for disabling codeql explicitly.

---
 .github/autobuild/mac.sh | 16 ++++++++++++----
 .github/workflows/autobuild.yml | 4 ++--
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/.github/autobuild/mac.sh b/.github/autobuild/mac.sh
index a656183223..bbb3037438 100755
--- a/.github/autobuild/mac.sh
+++ b/.github/autobuild/mac.sh
@@ -23,7 +23,7 @@ setup() {
 fi
 }
 
-prepare_signing() {
+check_if_signing() {
 [[ "${SIGN_IF_POSSIBLE:-0}" == "1" ]] || return 1
 
 # Signing was requested, now check all prerequisites:
@@ -35,6 +35,14 @@ prepare_signing() {
 
 echo "Signing was requested and all dependencies are satisfied"
 
+ # Tell Github Workflow to disable CodeQL as it interferes with signing
+ echo "::set-output name=disable_codeql::true"
+ return 0
+}
+
+prepare_signing() {
+ check_if_signing || return 1
+
 # Put the cert to a file
 echo "${MACOS_CERTIFICATE}" | base64 --decode > certificate.p12
 
@@ -73,9 +81,9 @@ pass_artifact_to_job() {
 case "${1:-}" in
 setup)
 setup
- # set up the macos_signed output if needed, but prevent
- # a return status of 1 from propagating to the script exit status.
- prepare_signing || true
+ # check whether signing will be used and prevent
+ # a return status of 1 from propagating to the script exit status.
+ check_if_signing || true
 ;;
 build)
 build_app_as_dmg_installer
diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml
index 1baacb2b3b..fad6415019 100644
--- a/.github/workflows/autobuild.yml
+++ b/.github/workflows/autobuild.yml
@@ -222,7 +222,7 @@ jobs:
 KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
 
 - name: Initialize CodeQL
- if: matrix.config.run_codeql && steps.setup.outputs.macos_signed != 'true'
+ if: matrix.config.run_codeql && steps.setup.outputs.disable_codeql != 'true'
 uses: github/codeql-action/init@v1
 with:
 languages: 'cpp'
@@ -313,5 +313,5 @@ jobs:
 asset_content_type: application/octet-stream
 
 - name: Perform CodeQL Analysis
- if: matrix.config.run_codeql && steps.setup.outputs.macos_signed != 'true'
+ if: matrix.config.run_codeql && steps.setup.outputs.disable_codeql != 'true'
 uses: github/codeql-action/analyze@v1

From e554a71baa5253d10902edf935c57e5bfdcf99b9 Mon Sep 17 00:00:00 2001
From: ann0see <20726856+ann0see@users.noreply.github.com>
Date: Sat, 30 Apr 2022 22:55:55 +0200
Subject: [PATCH 11/12] Add spacing as requested

---
 .github/autobuild/mac.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/autobuild/mac.sh b/.github/autobuild/mac.sh
index bbb3037438..ab65520c48 100755
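Review bot: `echo "::set-output name=disable_codeql::true"` relies on the stdout workflow command, which GitHub has since deprecated in favour of appending to the `$GITHUB_OUTPUT` file: `echo "disable_codeql=true" >> "$GITHUB_OUTPUT"`. Beyond deprecation, the stdout form means any line a build tool prints in `::name::` shape is interpreted by the runner, so noisy tooling could set or override the very output that gates the CodeQL steps; the file form closes that channel. Also, check_if_signing now runs from `setup)` and again inside prepare_signing, so if build_app_as_dmg_installer calls prepare_signing (not visible in this hunk) the output is emitted under two step ids; harmless because the workflow reads `steps.setup.outputs`, but a comment saying so would forestall a future "fix". The comment `# Tell Github Workflow to disable CodeQL as it interferes with signing` could also name the consuming workflow steps so the contract is discoverable from the script.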
--- a/.github/autobuild/mac.sh
+++ b/.github/autobuild/mac.sh
@@ -82,7 +82,7 @@ case "${1:-}" in
 setup)
 setup
 # check whether signing will be used and prevent
- # a return status of 1 from propagating to the script exit status.
+ # a return status of 1 from propagating to the script exit status.
 check_if_signing || true
 ;;
 build)

From 60fc9c0735f40341efecd9c8b1a9c01e10dee68d Mon Sep 17 00:00:00 2001
From: ann0see <20726856+ann0see@users.noreply.github.com>
Date: Sat, 30 Apr 2022 22:57:34 +0200
Subject: [PATCH 12/12] Apply spacing fix again

---
 .github/autobuild/mac.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/autobuild/mac.sh b/.github/autobuild/mac.sh
index ab65520c48..bbb3037438 100755
--- a/.github/autobuild/mac.sh
+++ b/.github/autobuild/mac.sh
@@ -82,7 +82,7 @@ case "${1:-}" in
 setup)
 setup
 # check whether signing will be used and prevent
- # a return status of 1 from propagating to the script exit status.
+ # a return status of 1 from propagating to the script exit status.
 check_if_signing || true
 ;;
 build)